ISA 2006 Client\User Certificates Issue...

I was wondering if the statement below is true for ISA 2006, as it was in ISA 2000 and I believe ISA 2004?

If you’ve tried to allow users to authenticate with the Incoming Web Requests listener and the internal network Web server, you’ve realized it doesn’t work. There is only one way to get authentication to work on both the Incoming Web Requests listener and the Web server on the internal network. The only scenario that allows authentication at both the ISA Server and the internal network Web server is when the Incoming Web Requests listener uses client certificate authentication and the internal network Web server uses Digest, Integrated or Basic authentication.

Is this the only scenario that requires the use of client\user certificate authentication for any version of ISA?

It looks like in ISA 2006, as long as we have SSL bridging on, we can secure communications via SSL from the ISA server to the web server too, as well as or in addition to configuring a secure SSL connection from the web client to the ISA server itself via the listener. It seems like in ISA 2006 you don’t need dual authentication, both at the ISA and at the web server, to have full end-to-end SSL.

Is that now true in ISA 2006?

Or has this always been possible in all versions of ISA?

More to the point, does it hold on all versions that for dual authentication you must use client certificates?

Meaning, is it the only time client\user certs are required?

But if you don’t want\need dual authentication, meaning just authenticating at the ISA, can we still have end-to-end SSL on ISA 2006 without the use of client certificates?

{Is it also true for ISA 2004 and 2000?}

Also, in the scenario where no client\user certificates are involved, does ISA never then need to communicate with a CA to verify certificates via a CRL to maintain\employ end-to-end SSL?

Because at this point our certs on ISA show as invalid or expired, as we are not allowing any web traffic from ISA out.

I know there is a CRL HTTP rule out, but I'm not sure if we need to allow that with web clients just authenticating at ISA and not the web server too? i.e. dual auths.

In the scenario where authentication takes place only at the ISA listener, does it matter that we have not allowed access to the web to access CRL data?

As I know that a cert is considered invalid if not verified against a CRL {why our ISA certs have a red X, i.e. show as invalid\expired}, but it nonetheless does match the certs on the web server, which themselves, unlike the ISA server, do not have a red X on the cert, as it can verify the cert because it has web access.

Do we need to allow one-time {or continuous} access to a\the CRL site to get the red X off the ISA certs if we're only authenticating web clients once via the ISA listener for end-to-end SSL?

Paul…

Keith AlabasterEnterprise ArchitectCommented:
First, please do not leave all that white space between your comments, makes it a nightmare to read through.

In 2004 and 2006 you had the option of either tunnelling SSL or bridging it. Many people prefer tunnelling, whereby you only have the cert on the web server and ISA tunnels the traffic directly through to the web server. Upside: cert only on the web server. Downside: ISA cannot filter the traffic as it cannot decrypt (see inside) the SSL tunnel and so cannot see what the traffic is to accept/reject it, i.e. it's just a conduit.

The bridging option comes in a number of flavours:

- SSL outside to ISA (needs cert on ISA) --- bridge SSL from ISA to web server (needs another cert on web server)
- SSL outside to ISA (needs cert on ISA) --- bridge HTTP from ISA to web server (no cert on web server)
- HTTP outside to ISA (no cert on ISA) --- bridge HTTP from ISA to web server (no cert on ISA)
- HTTP outside to ISA (no cert on ISA) --- bridge SSL from ISA to web server (needs cert on web server)

View the certificate; a red X normally means it has failed one of the criteria: Fully Qualified Domain Name (FQDN), out of date, non-authorised certificate, etc. Have you imported the certs into the certificate root on ISA also?

Keith

Keith AlabasterEnterprise ArchitectCommented:
Also, who is your certificating body?

you can add them to the list through the ISA system Policyhighlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appear. hit the last one on the right and it toggles on/off the system policy rules. Towards the bottom of these are the allowed CR sites etc. edit this and add as necessary. Apply the policy then hit the toggle icon again to get rid of the them from the list.
0
 
inuicAuthor Commented:
My main question is about client\user certificates, and if they are needed\required for full end-to-end SSL? It looks like you can have end-to-end SSL and just use bridging without employing the extra step of user certificates. Is this just tunnelling? In order to have stateful inspection of what's in the SSL tunnel, do you need to use user\client certificates? If I don't require authentication at both the ISA server and the web server and just at ISA, and have SSL from the client to ISA, and bridge SSL to the web server from ISA, is that just SSL tunnelling? i.e. no stateful inspection of the data in the SSL tunnel?

Which scenarios allow stateful inspection of what's in the SSL tunnel, when using end-to-end SSL? Does it require client\user certificates? i.e. dual authentication at both the ISA and web server?

If I just require authentication at ISA and still bridge SSL to the web server, is that just SSL tunnelling?

I'm not sure my question(s) were really answered by the previous comments. But thanks for the input.

Paul...
P.S. I left white space for room to answer my individual questions, as there were many...
Keith AlabasterEnterprise ArchitectCommented:
OK, one at a time here..... :)

To perform SPI through ISA you need to bridge, period. Tunnelling means that ISA cannot see what is in the tunnel as it's encrypted, and ISA acts simply as a carrier for the traffic, not a monitor, i.e. the client makes the SSL tunnel from their browser directly to the end web server. SSL tunnelling on ISA means it acts like a railway tunnel: the traffic simply passes through, as in a conduit.

Bridging means that ISA terminates the connection from the client regardless of whether it is SSL or HTTP. It then opens its own connection between itself and the web server. In this condition it can check the traffic, as it has decoded what has come in (and identified it) before repackaging it again for transit to the web server.

Most organisations use SSL between the ISA and the outside client and then use HTTP (bridge) to the internal web server. This saves on certificates and is the simplest method, with the exception of tunnelling straight through.

When you click on your certificate and choose the view option, what does it say has failed?
inuicAuthor Commented:
P.S.

I have imported the certs into the certificate root on ISA. But we allow no web traffic out, hence the CRL site cannot be contacted to verify the certs on ISA. Is that why they have a red X? The same certs on the web server have no red X. I imported my certs to ISA from the web server. To verify the certs on ISA {remove red X}, do I need to allow ISA access to the CRL site? We are using VeriSign as our CA.

Paul...
Keith AlabasterEnterprise ArchitectCommented:
Sorry, have I been at a tangent here? Yes, ISA will need to contact the site; by default ISA cannot talk to much. If you do not want ISA to have general web access, then use the option I mentioned above to give limited access.

<<< You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles on/off the system policy rules. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to get rid of them from the list. >>>
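The diagnosis Keith describes, as an added example that is not from this thread or from Microsoft: it reads the listener certificate from the ISA machine store, lists the CRL distribution point URLs the system policy rule must allow, and rebuilds the chain with online revocation checking to show whether the red X comes from an unreachable CRL. The thumbprint is a placeholder you replace.

```powershell
# Added example (not from the thread). Assumes the ISA listener certificate sits in
# LocalMachine\My and is identified by its thumbprint (placeholder, replace it).
$thumbprint = 'PLACEHOLDER_THUMBPRINT'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# 1. CRL Distribution Points extension (OID 2.5.29.31): these are the URLs ISA must be
#    allowed to reach outbound for revocation checking to succeed.
$crlUrls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.31') {
        [regex]::Matches($ext.Format($true), 'http://\S+') | ForEach-Object { $_.Value }
    }
}
"CRL distribution points that must be reachable from ISA:"
$crlUrls | ForEach-Object { "  $_" }

# 2. Build the chain the same way the certificate viewer does: online revocation
#    checking over the whole chain. A blocked CRL shows up as a revocation status flag,
#    not as an expiry or name problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)

if ($ok) {
    "Chain builds cleanly: no red X expected on this certificate."
} else {
    "Chain build failed; status flags:"
    foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
    $revocation = $chain.ChainStatus | Where-Object { $_.Status -match 'RevocationStatusUnknown|OfflineRevocation' }
    if ($revocation) {
        "Revocation status could not be determined: ISA cannot reach the CRL URLs listed above."
        "Allow them in the ISA system policy rule for CRL download, then re-run this check."
    }
}
```

The same reachability test can be cross-checked from a command prompt with `certutil -verify -urlfetch <exported-cert.cer>`, which reports a revocation-offline error when the CRL cannot be downloaded.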
inuicAuthor Commented:
How do you configure just SSL tunnelling, that is end-to-end SSL with no bridging, then? I know how to do bridging, it seems, but I am still confused as to when a user\client certificate comes into play. This is more complex than I had hoped...

Paul
inuicAuthor Commented:
We were able to access the internal web server over SSL even though the certs in ISA have the red X on them... Is that one way it's allowed to work? Is it that if I want to use client\user certificates in conjunction with what I am already doing, I need to get rid of the red X's on my certs in ISA?

Paul
Keith AlabasterEnterprise ArchitectCommented:
Maybe it is simpler if I give you some links to check through. I am doing a couple of ISA 2000 questions at the moment, so I cannot get to the screens I need to give you the exact option.

Here is the difference between tunnelling and bridging:
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

These are the links I generally post to people to explain the process; they may give you the answer you are looking for.
http://support.microsoft.com/default.aspx?kbid=837834&product=isas2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/help/FW_SecureWebPub.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

I know you are on 2006, but the process is the same.
